Comments (20)
> We cannot allow scripted signups like this
Do you have any evidence that these are scripted signups? Half a dozen accounts is not too many to sign up for. It's only a barrier if you need hundreds of accounts. I'd still like to prevent mechanical signups, but I don't expect it will help with the current issues.
from openstreetmap-website.
What exactly are you suggesting? We don't have a magic wand...
Presumably you are asking for a captcha? Which will have all the usual problems and probably also be a problem for the ongoing issues around third party authentication.
from openstreetmap-website.
Tel Aviv is gone from the map. Maybe things like this should be prevented somehow. https://www.openstreetmap.org/#map=14/32.0828/34.7637
from openstreetmap-website.
This ticket is about rate limiting signups - limiting edits is being discussed elsewhere though that only really applies to bulk edits as individual edits are almost impossible to prevent in advance.
from openstreetmap-website.
We have #1083 "suppress creating accounts by bots/scripts"
Does this or the previous spam wave share some characteristics of accounts that could allow detecting or targeting malicious users, beyond blanket suppression of automated account creation?
from openstreetmap-website.
#1083 has an old (from 2015!) comment
> Yes, a captcha would be nice, but as far as I know there aren't any non-proprietary, effective captchas available.

Has it changed?
from openstreetmap-website.
> Does this or the previous spam wave share some characteristics of accounts that could allow detecting or targeting malicious users, beyond blanket suppression of automated account creation?
What exactly do you think I've been doing for the last few weeks but trying to apply such blocks - options are limited when faced with a determined attacker.
A captcha is unlikely to help with the recent issues anyway as we long since stopped them doing bulk account creations and they now only create two or three at a time which can be done manually.
from openstreetmap-website.
In this case it was mostly directed at @SomeoneElseOSM, to check whether it is an intentional new issue or a duplicate of #1083 "suppress creating accounts by bots/scripts"
I am well aware of the ongoing attempts to apply various blocks using available methods (though definitely not of all of them)
> A captcha is unlikely to help with the recent issues anyway as we long since stopped them doing bulk account creations and they now only create two or three at a time which can be done manually.

I saw it, so I assumed that the "Prevent mechanical signups by malicious users" issue is about some other attack, maybe a potential one.
from openstreetmap-website.
@matkoniecz The main reason why I raised this is because whatever we're doing as a project right now, it isn't good enough. Just in the last couple of hours we've had significant vandalism by at least 20495461, 20495462, 20499080, 20499083, 20499226, 20499230, and 20499223 (and possibly more - those are just the ones I've spotted).
We cannot allow scripted signups like this for a couple of reasons - one is to prevent vandalism, but another is to prevent "clever" people adding data mechanically to OS without the person submitting the data ever actually seeing the Contributor Terms etc. - if someone has never read what data is license-compatible with OSM how can we be sure that the data that they submit actually is?
Whether this is dealt with here or on #1083 I really don't care - but that issue has languished there since 2015.
We absolutely shouldn't underestimate the effort that @tomhughes has put into trying to resolve this - the rate limiting introduced by #4198 has helped greatly. There is, unfortunately, still more to do.
It does seem that the team working on this code is vastly under-resourced - hence #3815, I guess. There are various ways that the root cause of that could be addressed (some discussed on that ticket, although I'm not convinced that "reviewing randomly-submitted PRs" - which is what it sounds like is happening at the moment - would really help).
from openstreetmap-website.
I would absolutely love to add a captcha to the signup, though not for the reasons you want them for because as I say I don't think it will help you at all.
Experience tells me however that any captcha will not be acceptable to the community in general.
Also they just don't work if https://elk.zone/en.osm.town/@[email protected]/111283441957439307 is to be believed.
from openstreetmap-website.
The way I think about captchas is: They are supposed to make it more annoying to do things for bad actors. But they cannot prevent someone who is really motivated from getting in. However, increasing the barrier is still worthwhile to filter some segments of bad acting.
I think about them like bicycle locks: They are all unsafe. It's more about how long it takes to pick them. Having one lock prevents some segment of thefts (opportunity thefts). Having two locks makes it annoying and prevents another segment of theft. But once an experienced thief comes along, the bike is gone…
At betterplace.org we used the invisible Recaptcha (by Google) in this spirit. It made things very annoying for the less informed bad actor while still preserving a great UX for regular users.
I don't think Google (Invisible) Recaptcha is an option for us due to privacy topics. However, maybe a service like https://friendlycaptcha.com/ is something to look into.
from openstreetmap-website.
My proposal would be to delay sending out confirmation emails by up to 24 hours ("...for technical reasons..."), giving admins enough time to spot suspicious patterns, with the option to remove those users early on.
from openstreetmap-website.
Absolutely not. That would prompt my immediate resignation.
from openstreetmap-website.
Oh, ok. Is your concern that angry folks start filling up your inbox, because they can't start mapping right away?
from openstreetmap-website.
> Oh, ok. Is your concern that angry folks start filling up your inbox, because they can't start mapping right away?
Mapping parties and HOT and many other events have large groups of new signups.
Holding accounts would not be the best route for engagement.
from openstreetmap-website.
> Oh, ok. Is your concern that angry folks start filling up your inbox, because they can't start mapping right away?
Absolutely. We already get a few people emailing us when the confirmation hasn't arrived 30 seconds after they signed up so there is no way I will be processing the tech support queue in OTRS if we make them wait 24 hours.
from openstreetmap-website.
> Do you have any evidence that these are scripted signups?
The speed of accounts being created before rate limiting was introduced (1000s of users) suggests yes. After rate limiting, we're still seeing some sequential examples (like 20495461 and 20495462 above), suggesting scripting.
> tech support queue in OTRS
I don't think a fixed 24 hour delay would be a good idea for all sorts of reasons, but surely we could do something - perhaps another queue in OTRS just for simpler things such as "approve a self-deletion request", handled by more people?
from openstreetmap-website.
That is the whole point though - we have limited them to the extent that even if they aren't currently doing it manually they could do so.
So yes it might be automatic AT THE MOMENT but 24 hours after we add a captcha they'll just switch to doing it manually and we'll be back where I started.
So it would be much more useful for me to spend my time on rate limiting edits than on rate limiting accounts.
You just seem to be totally incapable of understanding that forcing me instead to actually spend my time repeating myself endlessly here and on IRC.
from openstreetmap-website.
Both things must be implemented to be effective: "Prevent mechanical signups" and "limit new users". Since today there is no limit on what new users can do, vandals probably manually create accounts, but if "limit new users" is added, next day they will start doing mechanical signups, making the reverting job even harder since it will be spread among 100s of accounts...
from openstreetmap-website.
WE ALREADY ADDED RATE LIMITS TO COMBAT AUTOMATIC SIGNUPS.
I am now going to unsubscribe from this ticket in the interest of preserving my sanity.
from openstreetmap-website.